On 2007-05-30 (Wednesday) 22:43, Edward Wright wrote:
> Thanks for your concern. Actually I have used iptables, ipchains and
> (if I remember the name right) ipfwadm before that.
<SNIP>
> Ipcop and smoothwall may be great programs, but I have an innate
> distrust of GUI and/or web based config tools. Especially where
> security is concerned, I would really want to know what they are
> doing. And by the time I figured that out, I might as well have done
> it myself, methinks. (Arguably, you're making a decision to trust
> someone at some point......)
I have the same feeling of distrust toward generated config files, whether
they are produced by a GUI or not, especially when it comes to security. I
totally understand your point of view that one needs to understand the output
of such tools, and that they therefore may as well just write it themselves.
I tried out various tools, however, and now use Shorewall for most of my
firewall needs...
One of the main reasons that I use Shorewall is that it seems more efficient.
As with programming or writing markup such as CSS, there are major benefits
to be gained by abstracting common ideas. A big sign of poorly written code
is repeated lines. iptables rules are directly processed by the system and
are therefore analogous to compiled bytecode, while systems like Shorewall
are analogous to higher level languages. For example, my home LAN has four
zones with different levels of trust. Each zone has unique settings of
course, but there are still common rules as well as rules for how the zones
can interact with each other. Using Shorewall allows me to specify the rules
very succinctly, which makes it easier to maintain. Another example is my
laptop, where the firewall has to deal with wifi, eth0 (as well as aliases
for serving on more than one IP within trusted networks), and virtual
interfaces created for virtual machines. I have found that Shorewall saves
me a *lot* of trouble, and I can always inspect the output rules when I am
feeling paranoid.
To anyone who writes their own iptables rules but is interested in trying out
a higher level utility, I would recommend Shorewall as a good candidate. I
will include links to the homepage and documentation below. After starting
the service, be sure to run `iptables -L` and inspect the output. If nothing
else, you may learn some new tricks to include in your own rules; I sure did.
Cheers, Travis
http://www.shorewall.net/
http://www.shorewall.net/shorewall_setup_guide.htm
http://www.shorewall.net/shorewall_quickstart_guide.htm
http://www.shorewall.net/XenMyWay-Routed.html
http://www.shorewall.net/Documentation.html
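An added example, not part of Travis's mail or of the Shorewall project's own files, showing what the "four zones with different levels of trust" setup looks like in Shorewall's table-style configuration and how to check it before deploying. The zone names (net, loc, dmz, wifi), interface names, the 192.168.2.10 DMZ host and the chosen policies are assumptions made up for illustration; the column layouts follow the Shorewall 3.x/4.x zones, interfaces, policy and rules files, and the staging-directory approach (write_shorewall_config, check_staged, SHOREWALL_STAGE) is this example's own, so compare against the configfiles shipped with your installed version. Every line in rules ends up as an entry in an iptables chain named after the zone pair (loc2fw, net2dmz, ...), which is what `iptables -L` or `shorewall show loc2fw` lets you inspect afterwards.

```shell
#!/bin/sh
# Added example (not from the original mail or from Shorewall itself):
# stage a four-zone Shorewall configuration in a directory, then check it.
# Zone names, interfaces, addresses and policies are assumptions chosen to
# mirror the setup described in the mail, not the author's real config.
# Column layouts follow Shorewall 3.x/4.x; verify against your installed
# version's configfiles before deploying.
set -eu

# write_shorewall_config DIR: writes zones, interfaces, policy and rules
# into DIR (a staging dir, so nothing touches /etc/shorewall by accident).
write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    # Zones: the firewall itself plus four networks of decreasing trust.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
wifi    ipv4
EOF

    # One interface per zone; "detect" lets Shorewall find the broadcast
    # address. The untrusted net interface gets the anti-spoofing options.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        detect
dmz     eth2        detect
wifi    wlan0       detect
EOF

    # Default policies between zones. First match wins and the final
    # "all all REJECT" is the catch-all: anything not opened in rules
    # falls through to these, so keep them restrictive.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
$FW     all     ACCEPT
wifi    net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Exceptions to the policies. Macros such as SSH, DNS, Ping and Web
    # expand to the matching protocol/port rules; $FW is set in
    # shorewall.conf. Each line lands in an iptables chain named
    # <source>2<dest>, e.g. loc2fw.
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST                PROTO   DEST PORT(S)
SECTION NEW
# Firewall services for the trusted LAN
SSH(ACCEPT)     loc     $FW
DNS(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
# The guest wifi only gets DNS and ping from the firewall
DNS(ACCEPT)     wifi    $FW
Ping(ACCEPT)    wifi    $FW
# Publish the DMZ web server; the net zone otherwise stays DROPped
Web(DNAT)       net     dmz:192.168.2.10
# The DMZ may fetch updates from the net, but not reach back into loc/wifi
ACCEPT          dmz     net                 tcp     80,443
EOF
}

# check_staged DIR: returns non-zero if the catch-all policy is missing,
# so a stray edit cannot silently leave a zone pair without a policy.
# Shorewall's own compiler is the real check; run it when it is installed.
check_staged() {
    dir=$1
    grep -q '^all[[:space:]][[:space:]]*all[[:space:]][[:space:]]*REJECT' \
        "$dir/policy" || return 1
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$dir"   # compiles without installing the rules
    fi
}

# Usage: stage, check, then copy to /etc/shorewall and inspect the result.
STAGE=${SHOREWALL_STAGE:-$(mktemp -d)}
write_shorewall_config "$STAGE"
check_staged "$STAGE" && echo "staged Shorewall config in $STAGE"
# After deploying and running 'shorewall restart':
#   shorewall show loc2fw      # the chain built from the loc -> $FW rules
#   iptables -L -n -v          # the complete generated ruleset
```

The point of the staging directory is the same one the mail makes about trust: you read the four short files, `shorewall check` compiles them without loading anything, and only then do you compare `iptables -L -n -v` against what you expected each zone pair to allow.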